Lloyd v Google LLC
10th November, 2021
Supreme Court shuts down opt-out representative actions for data breach claims.
The Supreme Court has unanimously ruled that an opt-out representative action against Google should not be allowed to proceed. The decision is welcome news for controllers, as the Court has confirmed that compensation for a non-trivial breach of the Data Protection Act 1998 (“DPA 1998”) will only be awarded if the data subject has suffered some tangible financial loss, or if they have suffered distress.
With the assistance of a third party funder, Mr Lloyd had brought an opt-out representative action against Google to seek damages on behalf of over 4 million iPhone users in England and Wales. The ‘opt-out’ meant that the whole class of affected users was automatically opted-in to the action, unless they specifically opted out.
Mr Lloyd alleged that Google acted in breach of data protection laws between August 2011 and February 2012, by processing personal data unlawfully. The allegations relate to a workaround to the Safari browser, which allowed Google to bypass Apple iPhone privacy settings and track and collect information about users’ browsing activity without their knowledge or consent.
He applied for permission to serve the claim out of the jurisdiction (Google being a US company). Google opposed the application on the grounds that (i) the pleaded facts did not disclose any basis for claiming compensation under the DPA 1998 and (ii) the Court should not in any event permit the claim to continue as a representative action.
Questions for the Court
The Court had to decide whether Mr Lloyd could bring a claim at all on behalf of millions of iPhone users. The Court rules allow an individual to act as a representative on behalf of a defined class of claimants, provided that all of them have the “same interest”. The difficulty for Mr Lloyd was that he was unable to produce evidence of financial loss or distress on behalf of the millions of data subjects. To get around that point, he had suggested that the Court should disregard each class member’s individual circumstances and instead award damages assessed by reference to the hypothetical person least affected by the breach, who he contended should receive an award of £750 in compensation.
What was decided?
The Supreme Court overruled the previous decision of the Court of Appeal, which had indicated that the representative claim should be allowed to proceed.
Lord Leggatt rejected the approach contended for by Lloyd, which was that the ‘loss of control’ of personal data was enough to entitle the class members to damages. He ruled that the proposed approach was fundamentally inconsistent with the wording of section 13 of the DPA 1998, which refers to damage being suffered “by reason of any contravention by the data controller…”. That wording itself differentiates between the breach and the damage, such that that the suggestion that the breach itself was sufficient to found a claim for damages was wrong.
As Mr Lloyd had not attempted to show how Google had wrongfully used the data, nor had he shown any financial loss or distress suffered by the individual class members, the claim could not succeed. That was because, without specific evidence, the Court was not able to determine that damage had been suffered by the class members which was sufficiently serious to warrant an award of compensation.
The Supreme Court’s decision is therefore consistent with the outcome of the UK Government’s 2020 consultation, which ruled out the possibility of introducing a bespoke procedure for opt-out class actions in relation to data protection claims.
What does this case show?
Whilst the Supreme Court ruling relates to the position under the DPA 1998, the position on compensation for damages under the UK GDPR and DPA 2018 is very similar. As such, this case will have a significant impact on the ability of individuals, groups and funders to pursue group data protection claims against private and public sector organisations.
Whilst it will still be possible for individual data subjects and opt-in representative actions to pursue compensation claims arising out of data breaches, Lord Leggatt’s comments on the lack of availability of damages for loss of control emphasise the need for claimants to show evidence of material damage or distress in order to pursue a claim for compensation. In practical terms, this restricts the ability of individuals to bring claims which do not meet that standard.
If you find yourself in a situation where you need advice on data protection matters, our team of commercial and dispute lawyers may be able to help. Contact one of our specialists to find out more.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.
This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.